On 08/27/2013 10:19 AM, Peck, Michael A wrote:
> For example I just installed Zynga "Words With Friends Free" from the Google
> Play Store and got the denial just by starting up the app.
> A lot of apps seem to like to run ps too, but that's a separate complaint.
> I turned on enforcing mode and the app seems to run fine even with the
> denials.
>
> type=1400 msg=audit(1377612264.272:9): avc: denied { getattr } for pid=1948 comm="com.zynga.words" path="/data/app" dev=mmcblk0p12 ino=773681 scontext=u:r:untrusted_app:s0:c59,c256 tcontext=u:object_r:apk_data_file:s0 tclass=dir
> type=1400 msg=audit(1377612264.960:10): avc: denied { getattr } for pid=1977 comm="ps" path="/proc/126" dev=proc ino=2231 scontext=u:r:untrusted_app:s0:c59,c256 tcontext=u:r:zygote:s0 tclass=dir
> type=1400 msg=audit(1377612264.960:11): avc: denied { search } for pid=1977 comm="ps" name="126" dev=proc ino=2231 scontext=u:r:untrusted_app:s0:c59,c256 tcontext=u:r:zygote:s0 tclass=dir
> type=1400 msg=audit(1377612264.968:12): avc: denied { read } for pid=1977 comm="ps" name="cmdline" dev=proc ino=2539 scontext=u:r:untrusted_app:s0:c59,c256 tcontext=u:r:zygote:s0 tclass=file
> type=1400 msg=audit(1377612264.968:13): avc: denied { open } for pid=1977 comm="ps" name="cmdline" dev=proc ino=2539 scontext=u:r:untrusted_app:s0:c59,c256 tcontext=u:r:zygote:s0 tclass=file
Yes, I don't have a problem with allowing getattr to /data/app.
ps is another matter as they have no business inspecting the /proc/pid
entries of other processes and that kind of thing has been leveraged for
exploits previously. So there I would tend toward dontaudit rules if
you just want to silence the log noise (but only if you don't want to
see those cases in your audit stream).
--
This message was distributed to subscribers of the seandroid-list mailing list.
If you no longer wish to subscribe, send mail to [email protected] with
the words "unsubscribe seandroid-list" without quotes as the message.
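The reply above splits the quoted denials into two kinds: an access that is harmless to allow (getattr on /data/app) and one that should stay denied but may be silenced with dontaudit (ps poking at another process's /proc entries). The following Python example is added here and is not part of the thread or of any seandroid tool: it parses the five AVC lines into (source type, target type, class, permissions) groups and turns them into allow or dontaudit rules according to a small decision table. The decision table, the rule formatting and the "review" fallback are this example's own assumptions; the log lines are the ones quoted in the thread, rejoined onto single lines.

```python
import re

# Sample input: the five AVC denials quoted in the thread, one per line.
SAMPLE_AVC = """\
type=1400 msg=audit(1377612264.272:9): avc: denied { getattr } for pid=1948 comm="com.zynga.words" path="/data/app" dev=mmcblk0p12 ino=773681 scontext=u:r:untrusted_app:s0:c59,c256 tcontext=u:object_r:apk_data_file:s0 tclass=dir
type=1400 msg=audit(1377612264.960:10): avc: denied { getattr } for pid=1977 comm="ps" path="/proc/126" dev=proc ino=2231 scontext=u:r:untrusted_app:s0:c59,c256 tcontext=u:r:zygote:s0 tclass=dir
type=1400 msg=audit(1377612264.960:11): avc: denied { search } for pid=1977 comm="ps" name="126" dev=proc ino=2231 scontext=u:r:untrusted_app:s0:c59,c256 tcontext=u:r:zygote:s0 tclass=dir
type=1400 msg=audit(1377612264.968:12): avc: denied { read } for pid=1977 comm="ps" name="cmdline" dev=proc ino=2539 scontext=u:r:untrusted_app:s0:c59,c256 tcontext=u:r:zygote:s0 tclass=file
type=1400 msg=audit(1377612264.968:13): avc: denied { open } for pid=1977 comm="ps" name="cmdline" dev=proc ino=2539 scontext=u:r:untrusted_app:s0:c59,c256 tcontext=u:r:zygote:s0 tclass=file
"""

# Assumed decision table (first match wins): (source type, target type, tclass or None
# for any class) -> "allow" or "dontaudit". These two entries encode the reply's view.
DECISIONS = [
    ("untrusted_app", "apk_data_file", "dir", "allow"),
    ("untrusted_app", "zygote", None, "dontaudit"),
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the permissions and key=value fields of one AVC denial, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
        "tclass": fields.get("tclass"),
        "target": fields.get("path") or fields.get("name"),
    }


def type_of(context):
    """Extract the type field from a user:role:type:sensitivity[:categories] context."""
    return context.split(":")[2]


def aggregate(lines):
    """Group denied permissions by (source type, target type, tclass)."""
    groups = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        groups.setdefault(key, set()).update(rec["perms"])
    return groups


def decide(stype, ttype, tclass, decisions=DECISIONS):
    """Look up the action for a group; None means it needs human review."""
    for d_stype, d_ttype, d_tclass, action in decisions:
        if d_stype == stype and d_ttype == ttype and d_tclass in (None, tclass):
            return action
    return None


def suggest_rules(groups, decisions=DECISIONS):
    """Render one policy rule per group, in sorted order, with a review marker for unknowns."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(groups.items()):
        perm_list = sorted(perms)
        perm_str = perm_list[0] if len(perm_list) == 1 else "{ " + " ".join(perm_list) + " }"
        action = decide(stype, ttype, tclass, decisions)
        if action is None:
            rules.append(f"# review: {stype} {ttype}:{tclass} {perm_str}")
        else:
            rules.append(f"{action} {stype} {ttype}:{tclass} {perm_str};")
    return rules


if __name__ == "__main__":
    for rule in suggest_rules(aggregate(SAMPLE_AVC.splitlines())):
        print(rule)
```

Note that a dontaudit rule only stops the denial from being logged; the access is still refused, which is exactly the trade-off the reply points out: you lose visibility of those attempts in the audit stream in exchange for quieter logs. Anything not covered by the decision table is emitted as a review comment rather than guessed at.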